Tools Used for Dumping RDP Creds via comsvcs.dll
September 8, 2022
Remote Desktop Protocol (RDP) is commonly used by administrators to manage Windows environments remotely. It is also typical for RDP to be enabled on systems that act as a jump station so that users can reach other networks.
Background
Despite the fact that this protocol is widely used, it is frequently neither hardened nor monitored properly. From the attacker's perspective, dumping credentials from the lsass process can lead either to lateral movement across the network or directly to full domain compromise if the credentials of a domain admin account are cached there. As we saw in our previous blog, the Local Security Authority Subsystem Service (LSASS) is the Windows process that handles user authentication, password changes, access token creation and security policy enforcement. It holds a variety of hashed passwords and, in some cases, plaintext user passwords. Because it contains NT hashes, LM hashes, Kerberos tickets and other credential material that can be used for privilege escalation, data theft and lateral movement, LSASS is a lucrative target for adversaries.
Dumping via comsvcs.dll
comsvcs.dll ships with every Windows installation (in System32) and exports a function called MiniDump that writes a minidump of any process given its PID. Because the DLL is a signed Microsoft binary that is already on disk, nothing has to be dropped on the host, which is why this is also a very popular choice among malware authors. The command line is written as follows; the trailing full selects a full-memory dump, and the export name is case-sensitive:
rundll32.exe comsvcs.dll MiniDump <lsass PID> <out path> full
It is a relatively stealthy way to dump LSASS credentials, as it uses a legitimate DLL to perform the task. The only artefact left on the target is the dump file itself, which the attacker copies off and parses offline (for example with mimikatz or pypykatz), so no credential-parsing tool ever has to run on the victim.
Lsassy
Apart from the manual method above, lsassy is a Python tool that automates dumping LSASS on a remote host and extracting the credentials from the dump. By default it uses the comsvcs.dll MiniDump function to create the dump. This method only works when the executing context holds an enabled SeDebugPrivilege: an elevated PowerShell session enables that privilege automatically for a local administrator, whereas an elevated cmd.exe holds it disabled, so from cmd.exe you need a SYSTEM context (or must enable the privilege first). The command line for dumping credentials with lsassy is:
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>
Detection Techniques
To detect LSASS dumping through this technique, we can monitor for a process whose image is rundll32.exe with a command line containing the term MiniDump:
process == rundll32.exe && command_line_includes ('MiniDump')
Be aware that an attacker can sidestep this rule by copying rundll32.exe under another name, so the command-line match is a cheap first signal rather than a complete control.

Another way to detect adversaries abusing LSASS is to understand which tools or processes routinely access LSASS memory for legitimate reasons and then build detection logic for anything that deviates from that baseline. The following is a generic example of a detection opportunity built around obviously suspicious cross-process events:
process == ('powershell.exe' || 'taskmgr.exe' || 'rundll32.exe' || 'procdump.exe' || 'procexp.exe' || [other native processes that don't normally access LSASS]) && cross_process_handle_to ('lsass.exe')

Apart from these detection techniques, here are a few telemetry sources for monitoring:
- Process monitoring: Process monitoring can be helpful for catching the rundll32.exe process whenever it starts. EDR, Sysmon Event ID 1 and Windows Event ID 4688 collect the relevant telemetry. Sysmon Event ID 10 (ProcessAccess) is what records the cross-process handle to lsass.exe used by the second rule above, including the GrantedAccess mask.
- Command monitoring: Command-line logging will capture the context of what is executed. EDR, Sysmon Event ID 1 and Windows Event ID 4688 collect the relevant telemetry; note that 4688 only contains the command line when the "Include command line in process creation events" audit policy is enabled.
- Module monitoring: This can detect comsvcs.dll being loaded by the rundll32.exe process. EDR and Sysmon Event ID 7 (ImageLoad) collect the relevant telemetry.
- File monitoring: File monitoring can catch the write of the dump file, for example C:\Windows\Temp\lsass.dmp. The attacker chooses the output path and name, so match on rundll32.exe writing any .dmp file rather than on that exact path. Sysmon Event ID 11 (FileCreate) collects this.
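The two detection rules above, together with the module- and file-monitoring telemetry in the list, as an added example in Python (not code from the original post or from the lsassy project). The events are hand-written dicts that mimic the EventData fields of Sysmon Event IDs 1 (ProcessCreate), 7 (ImageLoad), 10 (ProcessAccess) and 11 (FileCreate); they are constructed for this example, not captured from a real host, and the LSASS_ALLOWLIST is a hypothetical baseline that in practice has to come from your own fleet.

```python
"""Toy detection pass for comsvcs.dll MiniDump abuse over constructed Sysmon-style events."""
from dataclasses import dataclass

# Hypothetical allowlist of images that legitimately open lsass.exe. In practice this
# must be built from a baseline of your own environment; these entries are illustrative.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Win32 PROCESS_* access bits. Reading another process's memory (which a minidump
# requires) needs at least VM_READ and QUERY_INFORMATION in the granted mask.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
MEMORY_READ_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION


@dataclass
class Alert:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Return the alerts a single Sysmon-style event triggers (possibly none)."""
    eid = event["EventID"]
    alerts = []

    if eid == 1:  # ProcessCreate: rundll32.exe with 'MiniDump' on the command line
        cmd = event.get("CommandLine", "")
        if _basename(event.get("Image", "")) == "rundll32.exe" and "minidump" in cmd.lower():
            alerts.append(Alert("rundll32_minidump_cmdline", eid, cmd))

    elif eid == 7:  # ImageLoad: rundll32.exe pulling in comsvcs.dll
        if (_basename(event.get("Image", "")) == "rundll32.exe"
                and _basename(event.get("ImageLoaded", "")) == "comsvcs.dll"):
            alerts.append(Alert("rundll32_loads_comsvcs", eid, event["ImageLoaded"]))

    elif eid == 10:  # ProcessAccess: memory-read handle to lsass.exe from outside the baseline
        if _basename(event.get("TargetImage", "")) == "lsass.exe":
            source = event.get("SourceImage", "").lower()
            granted = int(event.get("GrantedAccess", "0x0"), 16)
            if source not in LSASS_ALLOWLIST and granted & MEMORY_READ_MASK:
                alerts.append(Alert("unexpected_lsass_handle", eid,
                                    f"{source} GrantedAccess={hex(granted)}"))

    elif eid == 11:  # FileCreate: any .dmp written by rundll32.exe, whatever the path
        target = event.get("TargetFilename", "")
        if _basename(event.get("Image", "")) == "rundll32.exe" and target.lower().endswith(".dmp"):
            alerts.append(Alert("rundll32_writes_dump", eid, target))

    return alerts


def scan(events: list) -> list:
    """Run every event through detect() and flatten the results in event order."""
    return [alert for event in events for alert in detect(event)]


# Constructed sample telemetry: one comsvcs.dll dump sequence plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Windows\Temp\lsass.dmp full"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\comsvcs.dll"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass.dmp"},
    # Benign: svchost.exe is on the allowlist, so its lsass.exe handle is expected.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Benign: an ordinary rundll32.exe invocation with no MiniDump.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[EID {alert.event_id}] {alert.rule}: {alert.detail}")
```

Run as-is it prints four alerts, one per stage of the dump (process start, DLL load, lsass.exe handle, dump file write), and stays silent on the two benign events. The ProcessAccess rule also checks the GrantedAccess mask, so a non-allowlisted process that only asks for PROCESS_QUERY_LIMITED_INFORMATION (0x1000) does not fire; that is the single biggest source of noise when this rule is deployed without a mask filter.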